
Merge pull request #512 from mdr-engineering/feature/cw_MSOCI-2220_CreateCriblWorkers

MSOCI-2220: Worker load balancers and security groups, oh my!
Colby Williams 3 年之前
父节点
当前提交
213deec8f0
共有 3 个文件被更改,包括 27 次插入10 次删除
  1. 5 1
      base/splunk_servers/alsi/config.tf
  2. 2 1
      base/splunk_servers/alsi/elb-hec.tf
  3. 20 8
      base/splunk_servers/alsi/workers.tf

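--- a/base/splunk_servers/alsi/config.tf
+++ b/base/splunk_servers/alsi/config.tf
@@ -10,15 +10,18 @@ locals {
 
   # If cribl is being used for log ingestion, remember to turn on splunk_private_hec
   # in `splunk_servers/indexer_cluster/config.tf`, too.
+  # Alternatively, enable the Splunk Load Balanced destination and use indexer discovery.
   alsi_workers_default = 0 # how many cribl workers
   alsi_workers_exceptions = {
     afs-mdr-test-c2-gov = 2,
+    mdr-prod-bas        = 2,
   }
   alsi_workers = lookup(local.alsi_workers_exceptions, var.account_name, local.alsi_workers_default)
 
   alsi_splunk_nlb_default = false # splunk://moose-alsi-splunk.xdr{,test}.accenturefederalcyber.com:9997 and 9998
   alsi_splunk_nlb_exceptions = {
     afs-mdr-test-c2-gov = true,
+    mdr-prod-bas        = true,
   }
   alsi_splunk_nlb = lookup(local.alsi_splunk_nlb_exceptions, var.account_name, local.alsi_splunk_nlb_default)
 
@@ -28,9 +31,10 @@ locals {
   }
   alsi_elastic_alb = lookup(local.alsi_elastic_alb_exceptions, var.account_name, local.alsi_elastic_alb_default)
 
-  alsi_hec_alb_default = false # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8080
+  alsi_hec_alb_default = false # https://moose-alsi-hec.xdr{,test}.accenturefederalcyber.com -> 8088
   alsi_hec_alb_exceptions = {
     afs-mdr-test-c2-gov = true,
+    mdr-prod-bas        = true,
   }
   alsi_hec_alb = lookup(local.alsi_hec_alb_exceptions, var.account_name, local.alsi_hec_alb_default)
 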

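--- a/base/splunk_servers/alsi/elb-hec.tf
+++ b/base/splunk_servers/alsi/elb-hec.tf
@@ -68,8 +68,9 @@ resource "aws_lb_target_group" "alsi-alb-hec-target-8088" {
   health_check {
     enabled  = true
     path     = "/api/v1/health"
-    port     = 9000
+    port     = 8088
     protocol = "HTTPS"
+    matcher  = "200,405"
   }
 
   # sure would be nice to check the actual port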
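Review bot: Adding `405` to `matcher` on the `alsi-alb-hec-target-8088` health check means a target is reported healthy whenever the listener merely rejects the GET method, which is presumably what `/api/v1/health` does on 8088, so the check now proves little more than that a TLS listener accepts connections rather than that HEC is actually serving. If the HEC listener offers a real health endpoint (Splunk-compatible HEC exposes `/services/collector/health`; confirm Cribl's listener does), point `path` there and narrow the matcher back to `matcher  = "200"`. The context comment just below, `# sure would be nice to check the actual port`, reads stale now that the check targets 8088 and should be updated or removed in the same change. The enclosing target group resource starts before this hunk.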

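--- a/base/splunk_servers/alsi/workers.tf
+++ b/base/splunk_servers/alsi/workers.tf
@@ -1,6 +1,9 @@
 # Some instance variables
 locals {
   instance_name_worker = "${var.prefix}-alsi-worker"
+
+  splunk_vpc_cidrs = toset(concat([var.vpc_cidr], local.cidr_map["vpc-private-services"]))
+  data_sources     = toset(concat(tolist(local.splunk_vpc_cidrs), local.splunk_data_sources))
 }
 
 resource "aws_network_interface" "worker" {
@@ -34,7 +37,7 @@ resource "aws_instance" "worker" {
     http_endpoint = "enabled"
     # checkov:skip=CKV_AWS_79:see tfsec explanation
     # tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
-    http_tokens   = "optional"
+    http_tokens = "optional"
   }
 
   ami = local.ami_map[local.ami_selection]
@@ -163,7 +166,7 @@ resource "aws_security_group_rule" "alsi_worker_alb_elastic2" {
 # TODO: Repeat top 2 for HEC and S2S forwarders
 
 resource "aws_security_group_rule" "alsi_worker_vpn_in1" {
-  description       = "Web access"
+  description       = "Web access from VPN"
   type              = "ingress"
   from_port         = 9000
   to_port           = 9000
@@ -172,7 +175,7 @@ resource "aws_security_group_rule" "alsi_worker_vpn_in1" {
   security_group_id = aws_security_group.alsi_worker_security_group.id
 }
 resource "aws_security_group_rule" "alsi_worker_vpn_in2" {
-  description       = "Web access"
+  description       = "Web access from VPN"
   type              = "ingress"
   from_port         = 9200
   to_port           = 9200
@@ -181,7 +184,7 @@ resource "aws_security_group_rule" "alsi_worker_vpn_in2" {
   security_group_id = aws_security_group.alsi_worker_security_group.id
 }
 resource "aws_security_group_rule" "alsi_worker_vpn_in3" {
-  description       = "Test Splunk access"
+  description       = "Splunk access from VPN"
   type              = "ingress"
   from_port         = 9997
   to_port           = 9998
@@ -190,7 +193,7 @@ resource "aws_security_group_rule" "alsi_worker_vpn_in3" {
   security_group_id = aws_security_group.alsi_worker_security_group.id
 }
 resource "aws_security_group_rule" "alsi_worker_vpn_in4" {
-  description       = "Test HEC access"
+  description       = "HEC access from VPN"
   type              = "ingress"
   from_port         = 8088
   to_port           = 8088
@@ -200,14 +203,23 @@ resource "aws_security_group_rule" "alsi_worker_vpn_in4" {
 }
 resource "aws_security_group_rule" "alsi_worker_external_in" {
   # NLB requires the security group to allow access
-  description       = "Test Splunk access"
+  description       = "Splunk access via NLB"
   count             = local.alsi_splunk_nlb ? 1 : 0
   type              = "ingress"
   from_port         = 9997
   to_port           = 9998
   protocol          = "tcp"
-  cidr_blocks       = toset(concat(local.cidr_map["vpc-access"], local.trusted_ips, local.splunk_data_sources))
-  security_group_id = aws_security_group.alsi-alb-hec-sg.id
+  cidr_blocks       = local.data_sources
+  security_group_id = aws_security_group.alsi_worker_security_group.id
+}
+resource "aws_security_group_rule" "alsi_worker_hec_in" {
+  description       = "HEC access from Customer"
+  type              = "ingress"
+  from_port         = 8088
+  to_port           = 8088
+  protocol          = "tcp"
+  cidr_blocks       = local.data_sources
+  security_group_id = aws_security_group.alsi_worker_security_group.id
 }
 
 #----------------------------------------------------------------------------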
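Review bot: The new `alsi_worker_hec_in` rule at the end of the last hunk has no `count` guard, so worker port 8088 is opened to the whole `local.data_sources` set on every account, whereas the neighbouring `alsi_worker_external_in` rule is gated on `local.alsi_splunk_nlb` and config.tf in this same commit keeps HEC opt-in per account through `local.alsi_hec_alb`. If HEC ingestion is only expected where the HEC ALB is enabled, add `count             = local.alsi_hec_alb ? 1 : 0` directly under the description so the listener is not reachable from customer source ranges on accounts that do not use it. The description `HEC access from Customer` also understates the rule: `local.data_sources`, defined in the first hunk, is the union of `var.vpc_cidr`, the `vpc-private-services` ranges and `local.splunk_data_sources`, so `"HEC access from customer data sources and Splunk VPCs"` would describe what is actually permitted. Whether the ALB path in elb-hec.tf needs these CIDRs on the worker group or only an ingress from the ALB's own security group cannot be determined from this hunk.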